The present invention relates generally to maintaining computer software deployed in a corporate enterprise's information processing systems and, more particularly, to methods and systems for managing security patch updates to the software installed on the servers and workstations of a corporate enterprise.
Most security incidents with computers today are caused by flaws in software referred to as vulnerabilities. The ultimate solution to software vulnerabilities is application of patches. Software vendors generally release patches to fix vulnerabilities in their software products. If applied correctly, patches remove vulnerabilities from computer systems.
An important problem is to determine how often to update the computer systems in the corporate enterprise with the necessary patches. There are many factors that go into determining when patches should be applied. One factor is the number of vulnerabilities to patch. Sorting through all the vulnerabilities to find the relevant vulnerabilities to patch can be tedious and labor-intensive. Before being applied in a production environment, each patch must be tested to ensure that it works properly and does not interfere with existing applications installed on a computer system. In addition, every patch requires installation after testing. If a patch is applied to a critical system, downtime can be very costly.
Although it used to be a common practice among software vendors to release patches as soon as they were available, the common practice today is to release patches on a monthly basis. For example, Microsoft Corporation switched to a monthly patch release cycle in October 2003. “Patch Tuesday” is the second Tuesday of each month and is the day on which Microsoft releases security patches.
In large corporations, keeping thousands of computers up-to-date with security patches requires a great deal of Information Technology (IT) department manpower every month to update the servers and workstations with the latest released patches. This results in numerous people writing different scripts customized to each set of patches. A login script then checks every workstation and applies the patches. Other scripts are used to manually update servers, either because they are missed by Microsoft's Systems Management Software or because they are new server builds, and are applied to machines that access the corporation's network through an Internet Remote Access Service (IRAS). Still more scripts are written to apply the patches to new workstations that are being built.
There is a need in the art for improved techniques for managing security patch updates to software installed on the servers and workstations of a large enterprise to significantly reduce the amount of monthly work required to maintain backup process scripts. There is a further need for a method that enables the timing of the download and installation of security patch updates, and computer reboot, if necessary, to be under direct control of a system administrator.